Active Directory & Domain Environment Audit

Purpose

This solution document describes the content available for monitoring an Active Directory domain environment. Review the implementation steps carefully, as a significant portion of the content relies on the Active Directory plugin.

This article covers multiple components. Import and implement only the components you need.

Associated Content

Internal Monitor

| Content | Type | Function |
| --- | --- | --- |
| Active Directory - Sync Out of Date | Internal Monitor | This monitor looks for the AD server that has been onboarded for more than 30 days and is experiencing a credential issue in the Active Directory Plugin. |
| Active Directory - New User Account Created | Internal Monitor | This monitor looks for new domain user accounts that have a creation date within the past day. A ticket is created for each new account discovered. |
| Active Directory - Monitor - Password Expires This Week [G] | Internal Monitor | Detects the domain users whose password is going to expire within a week. |
| Active Directory - Enabled Test Accounts | Internal Monitor | This monitor will look for any account with the name Test in the account name and will flag that account if it is enabled on the domain. |
| Active Directory - Account Disabled | Internal Monitor | This monitor looks for the disabled accounts on Active Directory servers through the Active Directory plugin and creates a ticket for each one found. |
| Active Directory - User Last Logon > X Days | Internal Monitor | This monitor will check for users who have not logged in for more than X days and are not administrator accounts. |
| Active Directory - Active Computers in AD with No Agent | Internal Monitor | The monitor set generates a client-level ticket containing details of domain-joined computers active within the domain, which have been joined to the domain for at least 7 days but do not have the Automate agent installed. |
| Active Directory - ADPluginUser - Create/Update | Internal Monitor | The purpose of this monitor set is to create an 'ADPluginUser' account for the domain controllers detected in AD Plugin. |
| Active Directory - GPO Modified | Internal Monitor | This Custom RAWSQL monitor shows GPO modified time on the computer if the GPO was modified in the last day. |

Remote Monitor

| Content | Type | Function |
| --- | --- | --- |
| Reset AD Users Password Age | Remote Monitor | This remote monitor checks AD user's login password age to see if the age is set to unlimited, and if so it will change the user password from never expire to expire and will also change the Default domain policy password age to 90 days. |
| New Domain Admin | Remote Monitor | The purpose of the remote monitor is to detect the newly created/promoted domain admins and create a ticket. |
| AD Recycle Bin State Check | Remote Monitor | This is a remote PowerShell monitor which detects whether the AD Recycle Bin is enabled or disabled on Windows Active Directory servers. |
| AD Account Lockout Detection | Remote Monitor | The monitoring system is set up to gather data on event ID 4740 that occurred within the last 15 minutes and to generate an alert with the relevant information. |
| Active Directory Replication Anomaly Monitoring | Remote Monitor | The monitor set operates on a cluster of Primary Domain Controllers (Infrastructure Masters) for each domain, triggering a failure alert upon detecting any Active Directory Replication Failure. |

Script

| Content | Type | Function |
| --- | --- | --- |
| AD - Enable AD Recycle Bin | Script | This script enables the AD Recycle Bin. Microsoft TechNet Article |
| Weak Passwords - AD Test | Script | The script tests the hashed credentials in AD against a known compromised or weak list. |
| Active Directory - Plugin User Account - Create/Update | Script | This script will create/update a domain admin account to be used with the AD plugin with a random password. |
| Group Policy - Audit | Script | This process will execute PowerShell to gather GPO data. |
| AD - Create Views/Table/Schedule for AD Reporting Solution | Script | This creates all of the needed items in the Database to ensure the Active Directory Reporting Solution functions correctly. |
| ScreenConnect - AD Plugin - Sync Out of Date [Ticket,RMM+]* | Script | This script is intended to be used as an auto fix for the Active Directory - Sync Out of Date internal monitor. This script will not function if run manually. |
| Active Directory - Alerting - Password Expires This Week [Global,Autofix]* | Script | The script covers the alerting section of the Active Directory - Password Expires This Week [G] monitor set. |

Dataview

| Content | Type | Function |
| --- | --- | --- |
| AD Users | Dataview | This dataview displays all users associated with a domain and general information about all the users. |
| Active Directory - Domain Groups and Members | Dataview | This dataview shows you all domains and their respective groups and a corresponding list of members. |
| Group Policy Objects | Dataview | This dataview shows information about GPOs, their applied policies, where they are linked to, and to what trustees they are applied to. |
| Group Policy Settings | Dataview | This dataview shows information about GPOs, their applied policies, and settings. |
| Group Policy Object Links | Dataview | This dataview shows information about GPOs, their applied policies, and where they are linked to. |
| Group Policy Object Security Filtering | Dataview | This dataview displays information related to Group Policy Objects in Active Directory, specifically related to security policies. |

Report

| Content | Type | Function |
| --- | --- | --- |
| Report - Active Directory User Assessment | Report | Displays an overall health view of the Client's Active Directory along with a full user report. |
| Report - Active Directory User Groups - Detail | Report | Displays a complete user list with all groups that each user is in, along with an overall view of what groups are used the most. |
| Report - Computers in Active Directory - No Agent | Report | Displays a list of all computers that are in Active Directory but not in Automate. Can be used to clean up Client Active Directories. |
| SubPageHeaderLandscape | Subreport | Used as the template for the page header on these reports. |

Implementation (Active Directory Plugin Dependent Solutions)

  1. The solutions in this section rely on the Active Directory plugin. Verify that both the Active Directory and Active Directory Remote plugins are correctly installed and operational in the environment before proceeding.

  2. Active Directory Reporting Solution

    Follow the steps outlined in the Active Directory Reporting Solution document to import and configure the following reports:

  3. Active Directory - Sync Out of Date

  4. Active Directory - New User Account

  5. Active Directory - Password Expires This Week

  6. Active Directory - Enabled Test Accounts

  7. Active Directory - Account Disabled

  8. Active Directory - User Last Logon > X Days

  9. Active Directory - Domain Computers Missing Automate Agent

    • Import the Active Computers in AD with No Agent internal monitor from the ProSync plugin.
    • Import the △ Custom - Ticket Creation - Client alert template from the ProSync plugin, if it's not already present in the environment.
    • Import the Ticket Creation - Client script from the ProSync plugin, if it's not already present in the environment.
    • Reload the System Cache.
    • Assign the △ Custom - Ticket Creation - Client alert template to the Active Computers in AD with No Agent monitor set.

  10. Active Directory - ADPluginUser - Create/Update

  11. Active Directory - AD Users

  12. Active Directory - Domain Group and Members

Implementation (Independent Solutions)

  1. The solutions presented in this section do not rely on any plugin.

  2. Group Policy Audit

  3. Reset AD Users Password Age

  4. New Domain Admin

  5. Enable AD Recycle Bin

  6. AD Account Lockout Detection

  7. Active Directory Replication Anomaly Monitoring

Changelog

2026-05-18

  • Document enhancement only

2025-04-10

  • Initial version of the document